NL1011800C2 - Method and device for cryptographically processing data. - Google Patents

Description

f *

Short designation: Method and device for cryptographically processing data.

BACKGROUND OF THE INVENTION

The invention relates to a method for cryptographically processing data, comprising supplying values, namely the data and a key, to a cryptographic process, and executing the process to form cryptographically processed data. Such a method is known in practice.

In practice, generally known processes are often used for cryptographic processing of data. Examples of such cryptographic processes (algorithms) are DES and RSA, which are described, for example, in the book "Applied Cryptography" by B. Schneier (2nd edition), New York, 1996.

These processes are published because it was assumed that, with a sufficiently large key length, it would be impossible to retrieve the original data and / or the key from the processed data, even if the cryptographic process was known.

However, attacks based on knowledge of the cryptographic process have recently been discovered. In other words, because the behavior of the process is known, it becomes considerably easier, in certain attacks, to retrieve the key used and / or the original data. It will be clear that this is undesirable.

SUMMARY OF THE INVENTION

The object of the invention is to solve the above-mentioned problem by indicating a method and circuit for performing a cryptographic process which make the retrieval of the key considerably more difficult or even impracticable when using a known (i.e. public) cryptographic process. According to the invention, a method of the type mentioned in the opening paragraph is for this purpose characterized by supplying auxiliary values to the process in order to mask the values used in the process.

Masking the data and / or key (s) makes it considerably more difficult to trace these values based on the behavior of the process. The result of the process, ie the set of processed data, can be unchanged with a suitable selection of the auxiliary values, that is to say identical to the result of the process if no auxiliary values are added thereto. In this context, an "auxiliary value" is understood to mean a value (data or key), which is supplied to the process in addition to the corresponding data and key.

The invention is therefore based on the insight that the conversion of the values used in a cryptographic process is considerably complicated if these values are masked by means of auxiliary values.

The invention is partly based on the further insight that the use of auxiliary values does not necessarily influence the result of the process.

In a first embodiment of the invention, an auxiliary value comprises an additional key that is supplied to an additional process to form the key.

By applying a combination of a known process and an additional process, a new, per se unknown cryptographic process is formed, even if the additional process is also known per se.

By deriving the key (primary key) used for the known process from an additional key (secondary key) 20 by means of an additional process, it is achieved that not the (primary) key of the known process but the additional (secondary) key is offered to the combination of processes. In other words, externally the additional (secondary) key and not the actual (primary) key of the actual process is used. Deriving the key from the original data and the edited data has therefore become impossible. It is also very difficult to cancel the additional key, because the combination of the original process and the additional process is unknown.

This embodiment of the invention is therefore based, inter alia, on the insight that the knowledge of a cryptographic process is undesirable, contrary to what has hitherto been assumed. This embodiment is also based on the further understanding that attacks that build on process knowledge become significantly more difficult if the process is unknown.

Preferably, the additional process includes a cryptographic process. This makes it easier to trace the additional key. In principle, however, for example, a simple coding such as 6Ί18 0 0 3 additional process can be used. An auxiliary key is preferably used in a cryptographic process.

Advantageously, the additional process is an invertible process. This makes it possible to apply the method according to the invention to existing equipment with minimal changes. For example, if a first device issues an (additional) key that is used in a second device according to the invention, in the first device the inverse of the additional process can be used to derive the additional key from the original key. In other words, although the original (primary) key is used internally in both the first and second devices, the additional (secondary) key is exchanged between the devices. However, intercepting the additional key does not lead to knowledge of the original key.

It may be advantageous if the additional process is performed only if the data has predetermined properties. In this way, cryptographic editing can be performed only for certain, selected data, while it is blocked for all other data. In this way, additional protection is achieved.

Optimum security is provided if the process and the additional process are each composed of a number of steps, and in which steps of the process and the additional process are alternately carried out. This further obscures the properties of the known process, making it even more difficult to trace back the keys.

In a second embodiment of the invention, the process comprises a number of stages, each including a cryptographic operation for processing the data derived right data and a combining operation for combining the processed right data with data derived left data to form modified left data. data, in which the right data with a primary auxiliary value and the left data with an additional auxiliary value are combined prior to the first stage. As a result, the data used in the stages and transferred between the stages are masked.

In order to make it possible that the primary and additional auxiliary values do not affect the final result of the process pi 0 i 18 00 4, preferably immediately after the last stage, the right data with a further primary auxiliary value and the modified left data with a further additional auxiliary value combined.

In order not to allow the result of the operations to be influenced by the primary auxiliary values, the method according to the invention is preferably carried out in such a way that the right-hand data, in each stage and prior to the operation, are combined with the primary auxiliary value of that stage.

A further protection is achieved if the processed right 10 data, after the processing, is combined with a secondary auxiliary value of that stage.

Advantageously, the secondary auxiliary value of a stage is formed from the combination of the primary auxiliary value of the previous stage and the primary auxiliary value of the next stage. This makes it possible to compensate the auxiliary value in the subsequent stage, so that this auxiliary value will not affect the end result of the process.

It is possible to carry out the method according to the invention in such a way that all primary auxiliary values are equal. This makes a very simple practical realization possible. However, the use of different auxiliary values, which are preferably random numbers and regenerated each time the process is run, provides greater cryptographic security.

A further simplification of this embodiment can be obtained if the primary auxiliary values and / or secondary auxiliary values are each time combined with the respective operation. That is, combining with auxiliary values is processed in the respective operation (for example, a substitution) so that the result of the respective operation is equal to that of the original operation plus one or two auxiliary value combination operations. By including the combination operations in the machining in advance, a simpler and faster practical realization is possible.

Said combination operations are preferably performed by means of an exclusive or operation. However, other combination operations, such as binary addition, are also possible in principle.

The invention further provides a circuit for performing a method for cryptographically processing data. The invention also provides a payment card and a payment terminal which are provided with such a circuit.

The invention will be explained in more detail below with reference to illustrative embodiments shown in the figures.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 schematically shows a prior art cryptographic process.

FIG. 2 schematically shows a first cryptographic process according to a first embodiment of the invention.

Fig. 3 schematically shows a second cryptographic process according to a first embodiment of the invention.

Fig. 4 schematically shows a way in which the processes of FIG. 15 1 and 2 can be performed.

Fig. 5 schematically shows a multistage cryptographic process of the prior art.

Fig. 6 schematically shows a first cryptographic process according to a second embodiment of the invention.

FIG. 7 schematically shows a second cryptographic process according to a second embodiment of the invention.

Fig. 8 schematically shows a third cryptographic process according to a second embodiment of the invention.

Fig. 9 schematically shows a circuit in which the invention is applied.

Fig. 10 schematically shows a payment system in which the invention is applied.

PREFERRED EMBODIMENTS

A (cryptographic) process P according to the prior art is schematically shown in figure 1. Input data X and a key K are applied to the process P. Using the key K, the process P converts the input data X into (cryptographically) processed output data Y: Y - PK (X). Process P can be a known cryptographic process, such as DES (Data Encryption Standard), triple DES, or 'ESA (Rivest, Shamir & Adleman).

If the Input data X and the output data Y are known, it is in principle possible to trace the key K used. With a key of sufficiently long length (ie, a sufficiently large number of bits), it has hitherto been considered impossible to retrieve this key, even if the process P was known. Implausible in this case means that while it is theoretically possible, for example 5 by trying all possible keys, to find out the key used, this requires an unusually long calculation time.

Such a brute force attack ("brute force attack") is therefore hardly a threat to cryptographic security.

Recently discovered attacks, however, use knowledge of the process, which can drastically reduce the number of possible keys. This enables the used key K and / or the input data X to be derived from the output data Y within acceptable calculation times.

The principle of the invention, which aims to make such attacks considerably more difficult and time-consuming, is shown in FIG. 2 shown schematically. As in fig. 1 input data X and a (secret) key K are supplied to a (known) process P to generate output data Y.

In contrast to the situation of fig. 1 in the situation 20 of FIG. 2 the key K is supplied from an additional process P * to the process P. The additional process P * has an additional (secondary) key K * as input data to produce, under the influence of an auxiliary key K ', the (primary) key K as output data. Thus, the key K is not turned, as in the situation of FIG. 25 1, supplied from an external source (for example, a memory) to the process P, but is generated by the process P * from the additional (secondary) key K *: K - P * K, (K)

Thus, it is the secondary key K * instead of the primary key K which is predetermined and stored, for example, in a key memory (not shown). In accordance with the invention, the primary key K supplied to the process P is not predetermined.

The auxiliary key K 'may be a permanently stored predetermined key. It is also possible to use an additional process P * in which no auxiliary key K 'is used.

The combination of the processes P and P * forms a new process, which is schematically indicated as Q. The process Q, which is unknown per se because of the additional process P *, is the input data X and the (secondary) key K * supplied to produce the output data Y. The relationship between the secondary key K * and the primary key K is obscured by the additional process P *.

The additional process P * is preferably the inverse of another invertible process R. That is, P * - R'1.

This makes it possible to generate the secondary key K * with the aid of R and the auxiliary key K 'from the primary key K: 10 K * - RK, (K), as will be explained in more detail later with reference to Figure 5. Optionally, the new process Q can be extended with the process R, so that the primary key K is supplied to the process Q instead of the secondary key K *. In that case, the primary key K is derived in the process Q from: K - P * K, (K *) - P * K, (RK, (K)).

This makes it possible to use the same (primary) key as in the prior art.

The process shown in FIG. 3 schematically shown cryptographic process Q 20 according to the invention also comprises a process P with a primary key K and an additional process P * with an auxiliary key K ', wherein the primary key K is extracted from the additional key K * by the additional process P * distracted. In addition to the process of Fig. 1, in this case, the input data X is also supplied to the additional process P * 25, so that the primary key K is determined partly in dependence on the input data X: K - P * R, (K *, X)

This provides additional cryptographic protection. Moreover, this offers the possibility of executing the additional process P * only if certain input data are offered. That is, the additional process P * may include a test of the input data X and the execution of the additional process P * may depend on the result of that test. For example, the additional process P * can only be performed if the last two bits of the input data X are zero. The effect of such input data dependent operation is that the correct primary key K will be produced only for certain input data X, so that only those input data yield the desired> 1011800 uitgang output data Y. It will be clear that this further enhances cryptographic security.

Fig. 4 schematically shows the manner in which sub-steps of processes P and P * can be performed alternately (interleaving) in order to further increase the protection against attacks. The sub-steps can comprise so-called "rounds", as is the case with DES, for example. Preferably, however, the sub-steps comprise only one or a few instructions from a program with which the processes are executed.

In a first step 101, a first sub-step Pj of the process P is performed. Then, in a second step 102, the first sub-step Pj * of the additional process P * is performed. Likewise, in a third step 103, the second sub-step P2 of the process P is carried out, etc. This continues until the last sub-step Pn * of the additional process P * is performed in step 110, assuming for the sake of the example that the processes P and P * comprise the same number of sub-steps. If not, the last corresponding sub-step is performed in step 110, and the remaining sub-steps are performed in further steps.

By alternating the sub-steps of the process P known per se and the (possibly also known per se) process P *, a series of sub-steps can be obtained which does not correspond to that of a known process. This makes the nature of the process more difficult to recognize.

The process shown in FIG. 5 The schematic and prior art cryptographic process P shown only by way of example comprises a number of stages (i.e. Sj, S2 ....... Sn). In each stage, (right) data RDj ^ are applied to a cryptographic operation Fj_. This cryptographic operation can itself comprise a number of sub-steps 30, such as an expansion, a combination with a key, a substitution and a permutation, which, however, are not indicated separately for the sake of simplicity of the drawing. The cryptographic operation Fj ^ provides processed data FDj_: FD1 - F ^ RD ^.

In a combination operation CC ^ (CCj, CC2 ...... the index i always indicates the relevant stage S), the processed data FDj ^ with left data LDj ^ are combined into modified (left) data SD ^ as well as the original right data RD are passed to the next, 1 »1011800 9 stage. The combination operations CC ^ are preferably exclusive-of-operations (symbol: ®).

As shown in Fig. 5, at the end of each stage St, the modified left data and the right data RDt change position 5 so that they respectively change the right data RD1 + 1 and the left data LDi + i of the next stage S1 + 1 to shape.

The left data LDj and the right data RDX of the first stage Sj are derived in a preliminary operation from input data X and may thereby undergo a preparatory operation, such as an input permutation PP. The output data SDn and RDn of the last stage Sn constitute the processed data Y of the process P, possibly after they have undergone a final processing, such as an output permutation PP'1.

The cryptographic process of FIG. 6 largely corresponds to that of FIG. 5. According to the invention, the data present in and between the stages are masked with auxiliary values.

To this end, in this embodiment, the preliminary stage Sj precedes (preparatory) combination operations DC and EC, which are preferably also exclusive or operations. These combine, respectively, the left data LDj and the right data RDj, which come from the preliminary operation (PP), with a zero auxiliary value A0 and a first auxiliary value Aj, respectively. The results of the combination operations DC and EC are left-masked data LD'j and right-masked data RDj ', respectively (in the remainder of this text, masked data will be marked with an accent). The 25 masks have an effect in the following steps. Since the left data of the second stage S2 is equal to the masked right data of the first stage S1, this left data LD'2 is also masked. The second stage right hand data RD2 'is masked since it is the same as the masked modified data SDj'.

Combining the data LDj ^ and RDt with the auxiliary values At thus results in the modified data LD ^ and RD ^ being masked, making it considerably more difficult to extract the original data X or the key used from the masked data LD ^ and RD ^.

In order to remove the auxiliary values Aj ^ prior to the final operation (PP * x), final combining operations FC and GC ^ are provided, which store the modified and masked left data SD'n of the final stage Sn with an auxiliary value A ^ j respectively the masked V »·. . · Pt011 800 Combine 10 right data RDn 'with an auxiliary value Ajj. Due to ® A1 «0, the masks are removed in this way by the auxiliary values Aj ^. This makes it possible to carry out the method in such a way that, despite the use of the auxiliary values Δt, the end dates Y are equal to those used with the conventional method according to FIG. 5 would have been obtained.

In order to exclude the influence of the auxiliary values AL on the results FD ^ of the operations Ft, an additional combination operation AC ^ is preferably present in each stage which combines the right-hand data 10 RDt with a (primary) auxiliary value A ^ before these data are fed to the cryptographic operation Fj ^. The result of each additional combination operation ACj ^ is unmasked right data RDj ^, so that the cryptographic operation Ft operates on the same data as in the process of FIG. 5.

Advantageously, a further combination operation between the cryptographic operation FA and the combination operation CC ^ may be inserted for the purpose of combining the processed (right) data FDj ^ with a further (secondary) auxiliary value Bj ^. As a result, a masking of the processed data FDj ^ and a further masking of the (modified) left data SD ^ can be achieved. Preferably, the combination operations ACt and BC ^ are also exclusive or operations.

In accordance with a further aspect of the invention, the auxiliary values Aj ^ and Bj ^ are related. The secondary auxiliary values Bt are preferably formed by means of an exclusive or operation from the primary auxiliary value A ^ j of the previous stage and the primary auxiliary value A1 + i of the following stage:

Bi = Ai-1 ® Al + 1

As a result, each primary auxiliary value A1 + 1 which, by means of a further additional combination operation BCL, as a component of the secondary auxiliary value Bt, is combined with the processed right-hand data FDi in each case in the next stage, ie in stage Si + 1, by a combination operation AC ^ is compensated before the respective right hand data RD1 + 1 is subjected to the processing Fj ^. The (masked) right data RD ^ constituting the (masked) left data LDi + 1 '35 of the next stage St + 2 are combined there with the primary auxiliary value Ai + 1 and thus compensated. The auxiliary value A1 + 1 works through in the modified data SDj /, so that it remains masked between two stages.

0 11 8 0 0 11

The left data LDj of the first stage Sx are masked with the additional or zero (primary) auxiliary value Ag. By combining with the secondary auxiliary value Bj - Aq ® Az, the initial auxiliary value A0 is removed (due to A0 «A0 - 0), but the auxiliary value A2 and the 5 masking thereby achieved are retained. The zero auxiliary value Ag in this embodiment is preferably chosen equal to the first auxiliary value Ax.

Although all primary auxiliary values At are preferably chosen differently, with the exception of Ag - Aj, it is possible to choose all 10 primary auxiliary values Aj ^ equally. In that case, all secondary auxiliary values Bj ^ in the illustrated embodiment are zero, so that the further combination operations BC ^ can be omitted. Furthermore, the invention also applies to processes P which comprise only one stage S, or which have a different structure. In the process of FIG. 7, which largely corresponds to that of FIG. 6, the combination operations ACt and BCt and the cryptographic operation Ft are integrated in each stage into a combined operation F ^. Integration of the combination operations into the operations Ft is possible, for example, by appropriately adjusting a substitution table of the operation F ±. Therefore, the additional combination operations ACt and BC ^ can be omitted, and the result of the modified operation F ^ is equal to the result of the total of the actual operation Fj ^ and the combination operations: 25 FDt '- F1' (RD1 ') - Bt Ft (A1 e RDi ').

In principle, each stage requires a different combined operation Fa, in which different auxiliary values are integrated (see Fig. 6). Only if the auxiliary values Δt are chosen equal, ie Aj-Aj- .... Ajj, the combined operations FA in this embodiment can be the same.

Preferably, the values Ai are selected again each time the process is performed. This means for the process of Fig. 7 that then also the combined operations F1 'are redetermined. Since the operations F ^ in many implementations will involve the use of multiple tables, such as substitution tables, these tables will be redetermined each time the process P is run. In order to provide additional protection against attacks, according to a further aspect of the invention, the tables * 1011800 12

Determined in a random order. For example, if a combined operation includes eight tables, these eight tables are determined in a different order each time this Fj / operation is performed. This sequence can be determined on the basis of the contents of a sequence register, which contents can each be formed by a random number from a random generator. On the basis of the contents of the sequence register, a look-up table can be compiled again and again. With the look-up table, the tables can be written to a memory and read out 10 later.

According to a further aspect of the invention, in addition to or instead of, the elements of each table can be determined and / or stored in any order. This measure also ensures that protection against attacks is improved. In this case, too, a look-up table can be used, by means of which the elements can be retrieved later.

The aforementioned measures can also be applied in other embodiments of the invention, such as that of Figs. 8, or in entirely other cryptographic or non-cryptographic processes.

The embodiment of FIG. 8 largely corresponds to that of FIG. 7. In addition to Fig. 7, in each stage Slt, except for the last stage Sn, a combination operation HC ^ is included which combines the right hand data RDA with a tertiary auxiliary value W ±. Preferably, the tertiary auxiliary value is equal to the exclusive or combination of the auxiliary values Aq and Aj: W - Aq ® Aj, where Aq * Aj.

This results in the operation HCj ^ always adding the zero auxiliary value A0 and compensating the first auxiliary value Aj. This allows all cryptographic operations Ft to be essentially identical, requiring much less processing and / or storage capacity of a processor system with which the method is performed. In the embodiment of FIG. 8, the operations F / 'are such adaptations of the original operations F1 (that they are corrected for the auxiliary value Aj and additionally combine the tertiary auxiliary value W = Aq ® Aj with their result. With other "words, if RDt ® Aj to F" the result is equal to FDj / - F1 (RD1) s W.

1011800 * 13

Those skilled in the art will appreciate that the combination operations ACj ^ BCt and Η0 ± can be performed at other locations in the cryprographic process P to achieve a similar or even identical effect.

In FIG. 9 schematically shows a circuit 10 for implementing the method according to the invention. The circuit 10 comprises a first memory 11, a second memory 12 and a processor 13, the memories 11 and 12 and the processor 13 being coupled by means of a data bus 14. By providing two memories, it is possible in each case to perform a partial step of one of the processes P and P * (see Fig. 4), to store the result of that partial step in, for example, the first memory 11, and from the second memory 12 to transfer a previous intermediate result of the other process to the processor 13. In this way it is possible to efficiently carry out the alternating calculation of sub-steps of two different processes.

The process shown in FIG. 10 a schematically shown payment system comprises an electronic payment means 1 and a payment station 2. The electronic payment means 1 is, for example, a so-called "smart card", i.e. a card which is provided with an integrated circuit for storing and processing payment data. The payment station 2 comprises a card reader 21 and a processor circuit 22. The processor circuit 22 can correspond to the circuit 10 of FIG. 9.

At the beginning of a transaction, the payment means 1 transfers an identification (card identification) ID to the payment station 2. On the basis of this identification, the payment station 2 determines a key that will be used for this transaction. This identification ID can be applied as input data X (see Figures 1-3) to a cryptographic process which produces an identification-dependent transaction key KID as output data Y on the basis of a master key MK. In accordance with the invention, the process shown in Figures 2 and 3 is used for this purpose, in which the master key MK is previously converted into an additional master key MK * by means of a process R. This additional master key 35 MK * is now, preferably together with the identification ID

according to fig. 3, fed into the additional process P * to reproduce the original master key MK and derive the transaction key K1D from the identification ID.

1011800

IA

Although a single additional process P * is shown in Figures 2 and 3, multiple processes P *, P **, p ***, ... may be used in series and / or parallel to complete the primary key K to lead.

It will be clear to those skilled in the art that many modifications and additions are possible without departing from the scope of the invention.

1011800

Claims (25)

Method for cryptographically processing data, comprising supplying values to a cryptographic process (P), namely the data (X) and a key (K), and executing the process (P) to cryptographically processed data (Y), characterized by adding auxiliary values (K *; A, B) to the process (P) to mask the values (K; D) used in the process (P). A method according to claim 1, wherein an auxiliary value comprises an additional key (K *) which is supplied to an additional process (P *) to form the key (K). The method of claim 2, wherein the additional process (P *) comprises a cryptographic process to which an auxiliary key (K ') is applied. The method of claim 2 or 3, wherein the additional process (P *) is an invertible process. The method of claim 2, 3 or 4, wherein the data (X) is also supplied to the additional process (P *). 6. Method according to claim 5, wherein the execution of the additional process (P *) only takes place if the data (X) have predetermined properties. 7. A method according to any one of claims 2-6, wherein the process (P) and the additional process (P *) each consist of a number of steps, and in which steps of the process (P) and the additional process ( P *) are executed. Method according to any of the preceding claims, wherein the process (P) comprises a number of stages (S ^, each with a cryptographic operation (F1 (, F1 ")) for processing right-hand data (RD) derived from the data (X) ^ and combining operation (C ^ for combining left data (LD ^) also derived from the data (X) the processed right data (FD ^) to form modified left data (SDj ^), and prior to the first stage (Sj), the right data (RDj) with a primary auxiliary value (Aj) and the left data (LDj) with an additional auxiliary value (A0) are combined. The method of claim 8, wherein, immediately after the last stage (Sn), the right data (RDn) with a further primary auxiliary value (Ajj) and the modified left data (SDn,) with a further additional auxiliary value (An + 1 ) are combined. Ibii8oo The method of claim 8 or 9, wherein the right data (RD ^, in each stage (S ^ and prior to the processing (Fj /), is combined with the primary auxiliary value (At) of that stage (S ^). The method of claim 10, wherein the processed right data 5 (FDj ^), following the processing (Fj ^), is combined with a secondary auxiliary value (Bj_) of that stage (S ±). 12. A method according to claims 10 and 11, wherein the secondary auxiliary value (B ±) of a stage (S ^) is formed from the combination of the primary auxiliary value (At_j) of the previous stage and the primary auxiliary value (A1 + 1) of the next stage. A method according to any one of claims 8-12, wherein all primary auxiliary values (At) are equal. Method according to any one of claims 9-13, wherein the primary auxiliary values (At) and / or secondary auxiliary values (Bt) are each pre-combined with the respective operation (F ^). The method of claim 14, wherein a combined operation (F ^) includes multiple tables, and wherein the tables are determined in a different order each time the process (P) is performed. The method of claim 14 or 15, wherein a combined operation (Ft ') includes multiple tables, and wherein the elements of the tables are determined and / or stored in a different order each time the process (P) is performed . 17. Method as claimed in claim 16, wherein the sequence for the purpose of reading the elements is stored as a look-up table. The method of any one of claims 8-17, wherein the right data (RD ^, after each stage (S ^) is combined with an auxiliary tertiary value (W ^). The method of claim 18, wherein the tertiary auxiliary value 30 (Wt) in all stages except the last (Sn) is equal to the combination of the primary auxiliary value (Aj) of the first stage (Sj) and the additional auxiliary value (A0) , and in the last stage (Sn) equals 0. 20. A method according to any one of claims 8-19, wherein the combining is performed by an exclusive or operation. A method according to any one of the preceding claims, wherein the data (X) comprises identification data of a payment means (1) and the processed data (Y) is a diversified key. A method according to any preceding claim, wherein the process (P) comprises DES, preferably triple DES. Circuit (10) for performing the method according to any of the preceding claims. Payment card (1), provided with a circuit (10) according to claim 23. Payment terminal (2), provided with a circuit (10) according to claim 23. * * 1011800